Stored image privacy violation detection method and system

ABSTRACT

Methods and systems for detecting a privacy violation in an image file. A policy to be used by a master imaging application is obtained and a file system is monitored for a digital image modified by a monitored imaging application. It is then determined that the digital image file includes at least some content in violation of a defined setting for the master imaging application and, based on the determination that the digital image file includes at least some content in violation of the defined setting for the master imaging application, taking an action.

FIELD

The present application generally relates to sensitive information indigital images, and more particularly, to identifying sensitiveinformation in digital images and sanitizing digital images.

BACKGROUND

Digital images may contain sensitive information. In some cases, thesensitive information that is displayed in digital images isconfidential corporate information.

In some other cases, the sensitive information is hidden from users.Electronic devices such as smartphones are often equipped with cameraapplications that add metadata to every photograph taken. For example, aglobal positioning system (GPS) enabled camera application may include,in a digital image, the exact location coordinates and time the imagewas captured. Users may not be aware that the digital image containssuch sensitive information.

Users may share digital images with parties outside of an organizationwithout realizing that they may also be sharing sensitive information.It would be advantageous to be able to ensure that digital images meet acertain level of privacy.

BRIEF DESCRIPTION OF THE DRAWINGS

Reference will now be made, by way of example, to the accompanyingdrawings which show example embodiments of the present application, andin which:

FIG. 1 is a schematic diagram illustrating an operating environment ofan example embodiment;

FIG. 2 is a block diagram illustrating components of an exampleembodiment of the mobile computing system of FIG. 1;

FIG. 3 shows a flowchart illustrating an example method of removingsensitive information from a digital image;

FIG. 4 shows a flowchart illustrating an example method of detecting aprivacy violation by a digital image file;

FIG. 5 is an illustration of the front view of an example electronicdevice displaying an option to share a digital image;

FIG. 6 is an illustration of the front view of an example electronicdevice displaying a list of applications; and

FIG. 7 is an illustration of an example digital image containingsensitive information, including a depiction of a stack of paper and asmartphone.

FIG. 8 is an illustration of the digital image of FIG. 7 after beingsanitized.

FIG. 9 is an illustration of an example digital image containingsensitive information, including a depiction of a computer monitordisplaying text.

FIG. 10 is an illustration of the digital image of FIG. 9 after beingsanitized.

Similar reference numerals may have been used in different figures todenote similar components.

DESCRIPTION OF EXAMPLE EMBODIMENTS

In a first aspect, the present application describes acomputer-implemented method of detecting a privacy violation in an imagefile. The method includes: obtaining a policy to be used by a masterimaging application; monitoring a file system for a digital image filemodified by a monitored imaging application; determining that thedigital image file includes at least some content in violation of adefined setting for the master imaging application; and in response todetermining that the digital image file includes at least some contentin violation of the defined setting for the master imaging application,taking an action.

In some embodiments, monitoring the file system for the digital imagefile modified by the monitored imaging application includes continuouslymonitoring the file system and automatically detecting, in real-time,the modification of the digital image file by the monitored imagingapplication.

In some embodiments, monitoring the file system for the digital imagefile modified by the monitored imaging application includesautomatically periodically scanning the file system for a digital imagefile modified by the monitored imaging application.

In some embodiments, monitoring the file system for the digital imagefile modified by the monitored imaging application includes, in responseto input received at an input interface, scanning the file system for adigital image file modified by the monitored imaging application.

In some embodiments, taking the action involves processing the digitalimage file to modify the at least some content.

In some embodiments, taking the action involves generating anotification based on the violation.

In some embodiments, the notification identifies the monitored imagingapplication.

In some embodiments, the notification prompts for adjusting a settingassociated with the monitored imaging application.

In some embodiments, the notification provides an option to modify thedigital image file to comply with the policy.

In some embodiments, the method may further include receiving input atan input interface selecting the option to modify the digital image fileto comply with the policy and in response to receiving input from aninput interface selecting the option to modify the digital image file,modifying the digital image file.

In another aspect, the present application describes computing devicesconfigured to implement such methods.

In another aspect, the present application describes a computing device.The computing device includes a memory and a processor coupled with thememory. The processor is configured to: obtain a policy to be used by amaster imaging application; monitor a file system for a digital imagefile modified by a monitored imaging application; determine that thedigital image file includes at least some content in violation of adefined setting for the master imaging application; and in response todetermining that the digital image file includes at least some contentin violation of the defined setting for the master imaging application,take an action.

In some embodiments, the processor configured to monitor the file systemfor the digital image file modified by the monitored imaging applicationincludes the processor configured to continuously monitor the filesystem and automatically detect, in real-time, the modification of thedigital image file by the monitored imaging application.

In some embodiments, the processor configured to monitor the file systemfor the digital image file modified by the monitored imaging applicationincludes the processor configured to automatically periodically scan thefile system for a digital image file modified by the monitored imagingapplication.

In some embodiments, the processor further configured to take the actionincludes the processor configured to process the digital image file tomodify the at least some content

In some embodiments, the processor further configured to take the actionincludes the processor configured to generate a notification based onthe violation.

In some embodiments, the notification identifies the monitored imagingapplication.

In some embodiments, the notification prompts for adjusting a settingassociated with the monitored imaging application.

In some embodiments, the notification provides an option to modify thedigital image file to comply with the policy.

In some embodiments, the processor is further configured to: receiveinput at an input interface selecting the option to modify the digitalimage file to comply with the policy; and in response to receiving inputfrom an input interface selecting the option to modify the digital imagefile, modify the digital image file.

In some embodiments, the processor configured to monitor a file systemfor a digital image file modified by a monitored imaging applicationincludes the processor configured to, in response to input received atan input interface, scan the file system for a digital image filemodified by the monitored imaging application.

In another aspect, the present application describes a non-transitorycomputer-readable storage medium storing processor-executableinstructions to detect a privacy violation in an image file. Theprocessor-executable instructions, when executed by a processor, maycause the processor to: obtain a policy to be used by a master imagingapplication; monitor a file system for a digital image file modified bya monitored imaging application; determine that the digital image fileincludes at least some content in violation of a defined setting for themaster imaging application; and in response to determining that thedigital image file includes at least some content in violation of thedefined setting for the master imaging application, take an action.

Other aspects and features of the present application will be understoodby those of ordinary skill in the art from a review of the followingdescription of examples in conjunction with the accompanying figures.

In the present application, the terms “about”, “approximately”, and“substantially” are meant to cover variations that may exist in theupper and lower limits of the ranges of values, such as variations inproperties, parameters, and dimensions. In a non-limiting example, theterms “about”, “approximately”, and “substantially” may mean plus orminus 10 percent or less.

In the present application, the term “and/or” is intended to cover allpossible combinations and sub-combinations of the listed elements,including any one of the listed elements alone, any sub-combination, orall of the elements, and without necessarily excluding additionalelements.

In the present application, the phrase “at least one of . . . or . . . ”is intended to cover any one or more of the listed elements, includingany one of the listed elements alone, any sub-combination, or all of theelements, without necessarily excluding any additional elements, andwithout necessarily requiring all of the elements.

Reference is first made to FIG. 1, which is a schematic diagramillustrating an operating environment of an example embodiment. Thenetwork 120 is a computer network. The network 120 allows computersystems in communication therewith to communicate. For example, asillustrated, the network 120 allows the mobile computer system 100 tocommunicate with the target computer system 110. The network 120 may beused by the mobile computer system 100 share an image with the targetcomputer system 110. The target computer system 110 may be adapted todisplay the digital image on a display interface.

Each of the mobile computer system 100 and the target computer system110 may be in geographically disparate locations. Put differently, themobile computer system 100 may be remote to the target computer system110.

Each of the mobile computer system 100 and the target computer system110 are, or include, one or more computing devices. The mobile computersystem 100 may, as illustrated, be a smartphone. The target computersystem 110 may, as illustrated, be a laptop computer. Alternatively, themobile computer system 100 and the target computer system 110 may be, ormay include, a device of another type such as, for example, a personalcomputer, a laptop computer, a tablet computer, a notebook computer, ahand-held computer, a personal digital assistant, a wearable computingdevice (e.g., a smart watch, a wearable activity monitor, wearable smartjewelry, and glasses and other optical devices that include opticalhead-mounted displays), or any other type of computing device that maybe configured to store data and software instructions, and executesoftware instructions to perform operations consistent with disclosedembodiments.

In some embodiments, each of the mobile computer system 100 and thetarget computer system 110 may include multiple computing devices suchas, for example, email servers, web servers, database servers, socialnetworking servers, file transfer protocol (FTP) servers, and the like.The multiple computing devices may be in communication using a computernetwork. For example, in some embodiments, the mobile computer system100 is a laptop computer and the target computer system 110 is a photoand video-sharing social networking service. In some embodiments, it isthe mobile computer system 100 that is or is a component of a photo andvideo-sharing social networking service and the target computer system110 is a desktop computer that is a client of the social networkingservice.

Reference is made to FIG. 2, which illustrates a block diagram of anexample embodiment of the mobile computing system 100 of FIG. 1. In anexample embodiment, the computing device 200 may be a mobilecommunication device. The mobile communication device may be configuredfor two-way communication, having data and optionally voicecommunication capabilities, and the capability to communicate with othercomputer systems, e.g. via the internet. In some embodiments, thecomputing device 200 may take other forms, such as smartwatches,computers, tablets, laptops, or any other electronic device configuredfor connection over wireless networks.

The computing device 200 of FIG. 2 may include a housing (not shown)which houses components of the computing device 200. Internal componentsof the computing device 200 may be constructed on a printed circuitboard (PCB). The computing device 200 includes a controller including atleast one processor 240 (such as a microprocessor) which controls theoverall operation of the computing device 200. The processor 240interacts with device subsystems, such as a wireless communicationsubsystem 211, for exchanging radio frequency signals with a wirelessnetwork to perform communication functions. The processor 240 interactswith additional device subsystems including one or more input interfaces(which may include, without limitation, any of the following: one ormore cameras 280, a keyboard, one or more control buttons, one or moremicrophones 258, a gesture sensor, and/or a touch-sensitive overlayassociated with a touchscreen display), flash memory 244, random accessmemory (RAM) 246, read only memory (ROM) 248, auxiliary input/output(I/O) subsystems 250, a data port 252 (which may be a serial data port,such as a Universal Serial Bus (USB) data port), one or more outputinterfaces (such as a display 204), one or more speakers 256, or otheroutput interfaces), a short-range communication subsystem 262, and otherdevice subsystems generally designated as 264.

In some example embodiments, the auxiliary input/output (I/O) subsystems250 may include an external communication link or interface, forexample, an Ethernet connection. The communication subsystem 211 mayinclude other wireless communication interfaces for communicating withother types of wireless networks, e.g. Wi-Fi networks.

In some example embodiments, the computing device 200 also includes aremovable memory module 230 (typically including flash memory) and amemory module interface 232. Network access may be associated with asubscriber or user of the computing device 200 via the memory module230, which may be a Subscriber Identity Module (SIM) card for use in aGSM network or other type of memory module for use in the relevantwireless network type. The memory module 230 may be inserted in orconnected to the memory module interface 232 of the computing device200.

The computing device 200 may store data 227 in an erasable persistentmemory, which in one example embodiment is the flash memory 244. In someexample embodiments, the data 227 may include service data havinginformation required by the computing device 200 to establish andmaintain communication with a wireless network. The data 227 may alsoinclude user application data such as messages (e.g. emails, texts,multimedia messages, etc.), address book and contact information, cameradata, calendar and schedule information, notepad documents, image files,and other commonly stored user information stored on the computingdevice 200 by its users, and other data.

The data 227 stored in the persistent memory (e.g. flash memory 244) ofthe computing device 200 may be organized, at least partially, into anumber of databases or data stores each containing data items of thesame data type or associated with the same application. For example,image files, email messages, contact records, and task items may bestored in individual databases within the computing device 200 memory.

The short-range communication subsystem 262 provides for communicationbetween the computing device 200 and different systems or devices, whichneed not necessarily be similar devices. For example, the short-rangecommunication subsystem 262 may include an infrared device andassociated circuits and components, a wireless bus protocol compliantcommunication mechanism such as a Bluetooth® communication module toprovide for communication with similarly-enabled systems and devices,and/or a near-field communication (NFC) interface.

The computing device 200 includes one or more cameras 280. The cameras280 are configured to generate camera data, such as images in the formof still photographs and/or video data. The camera data may be capturedin the form of an electronic signal which is produced by an image sensorassociated with the cameras 280. More particularly, the image sensor isconfigured to produce an electronic signal in dependence on receivedlight. The image sensor converts an optical image into an electronicsignal, which may be output from the image sensor by way of one or moreelectrical connectors associated with the image sensor. The electronicsignal represents electronic image data, which may be referred to ascamera data.

A set of applications that control basic device operations, includingdata and possibly voice communication applications, may be installed onthe computing device 200 during or after manufacture. Additionalapplications and/or upgrades to an operating system 222 or softwareapplications 224 may also be loaded onto the computing device 200through the wireless network, the auxiliary I/O subsystem 250, the dataport 252, the short-range communication subsystem 262, or other suitabledevice subsystems 264. The downloaded programs or code modules may bepermanently installed; for example, written into the program memory(e.g. the flash memory 244), or written into and executed from the RAM246 for execution by the processor 240 at runtime.

The processor 240 operates under stored program control and executessoftware modules 220 stored in memory such as persistent memory, e.g. inthe flash memory 244. As illustrated in FIG. 2, the software modules 220may include operating system software 222 and one or more applications224 (or modules). Specific examples of applications that may be residenton the computing device 200 include file sharing applications and mediaapplications for capturing and/or editing one or more forms of digitalmedia including images, videos and/or sound. Specific examples of filesharing applications include an email messaging application, as well asother types of messaging applications for instant messaging (IM), shortmessage service (SMS), and social networking or messaging applications.Media applications may include imaging applications. Specific examplesof imaging applications include an image editor, a digital photographyapplication for editing digital photographs, and a camera application290 for using the cameras 280 to capture photographs and for editingphotographs.

The operating system software 222 may provide a file system for storing,modifying and accessing files held in the persistent memory (e.g. flashmemory 244) of the computing device 200. This file system may beaccessible to other programs running on the processor 240 via aprogrammatic interface provided by the operating system software 222.

Reference is made to FIG. 3, which shows, in flowchart form, an examplemethod of removing sensitive information from a digital image. Themethod 300 is performed by a computer system such as, for example, thecomputing device 200 of FIG. 2. The computer system has a processor thatis coupled with a memory. The processor is configured to perform themethod 300 and, more specifically, is configured to receive aninstruction to share a digital image, and in response to receiving theinstruction to share the digital image, determine that the digital imagecontains a depiction of a corporate display medium that is classified assensitive based on a policy, and in response to determining that thedigital image contains the depiction of the corporate display mediumthat is classified as sensitive based on the policy, process the digitalimage to modify the depiction, and share the digital image.

The method 300 starts with an operation 302. In operation 302, aninstruction is received to share the digital image. The instruction maycorrespond to or be based on input received at an input interface. Forexample, the instruction may correspond to or be triggered by a userclicking or tapping the share button 508 displayed by the electronicdevice 500 of FIG. 5. FIG. 5 is an illustration of the front view of anexample electronic device 500. The electronic device 500 may be asmartphone that implements the computing device 200 of FIG. 2. Thedisplay interface 502 shows the graphical user interface of a photogallery application. The gallery includes three digital images 506, thefirst of which is shown as selected via the checkbox user interfaceelement 504. Users are presented with, via the share button 508, theoption to share the selected photo. The share button 508 may be tappedor clicked to indicate selection of the option to share the image.

In some embodiments, the instruction to share the digital image includesan indication of the digital image file that should be shared. In oneexample, the digital image is in a JPEG file format, although otherimage formats may be used.

In response to invoking the share button 508, the display interface 502may present, as shown in FIG. 6, a list of applications that can beinvoked. The email icon 606 and ftp icon 608 may correspond to an emailapplication and an ftp application, respectively, that may be used toshare the digital image. In some cases, operations 304 and 306 in themethod 300 occur prior to displaying the list of applications to a user.The sanitization icon 604 may correspond to a sanitization applicationthat may provide options and features related to sanitizing the digitalimage prior to sharing the digital image with others. The instruction toshare the digital image may correspond to or be triggered by a userclicking or tapping the sanitization icon 604. In some embodiments, inresponse to invoking the share button 508, the sanitization applicationis launched automatically, without the list of application icons firstbeing displayed.

Following the operation 302, the method 300 includes, in operation 304,in response to receiving the instruction to share the digital image,determining that the digital image contains a depiction of a corporatedisplay medium that is classified as sensitive based on a policy. Thedigital image may comprise of one or more depictions of corporatedisplay medium. In some embodiments, a corporate display medium is acorporate medium that is configured to perform the function ofpresenting corporate information in a visual form. By way of example, acorporate display medium may comprise: a document; particular boardssuch as, for example, a whiteboard, a bulletin board, a corkboard, and ablackboard; paper and stationery supplies such as, for example, one ormore sheets of paper, a pad of paper having a plurality of paper sheets,a flipchart, ruled or lined paper, grid paper, a sticky note, anotebook, a notepad, a drawing pad, and a memo pad; particular filingsupplies such as, for example, a file folder, a label, a file label, abinder, a binder label, a storage box and a storage box label; desktopsupplies and accessories such as, for example, a paper tray and aninbox/outbox for paperwork; mailing supplies such as, for example, anenvelope and an address label; a wall or desk calendar; a name tag; anidentification or security badge; or particular electronic equipment ordevices such as, for example, a computer monitor, a projector screen, alaptop computer, a tablet computer, an internet protocol (IP) phone anda smartphone. FIG. 7

The corporate display medium may include a display surface that isconfigured to perform the function of presenting corporate informationin a visual form. Examples of display surfaces include a computermonitor screen, a smartphone screen and an internet protocol (IP) phonescreen. In some cases, the display surface may provide additionalfunctionality. In one example, the display surface comprises of atouchscreen input interface that is configured to receive input througha touch. In another example, the display surface comprises of a writingsurface of a whiteboard or a sheet of paper that is configured toreceive markings made by a human.

In some cases, the corporate display medium contains content. In otherwords, the corporate display medium presents information. For example, asheet of paper may contain markings in the form of hand writing, adrawing, or electronically or mechanically printed information. Asanother example, a computer monitor may display an electronic documentcontaining text. In some cases, the corporate display medium may becontent-free and present no corporate information. Examples ofcontent-free corporate display medium include, but are not limited to, ablank sheet of paper, a computer monitor that is turned off, and anempty sheet of lined paper.

A depiction of a corporate display medium may be classified as sensitivebased on a policy. The policy may be a sanitization policy and includean enterprise defined policy and/or a user defined policy. In someembodiments, an enterprise policy server can be used to provide policydata that is customizable on a per-user basis. In some embodiments, theenterprise policy cannot be customized on a per-user basis or overriddenby a user defined policy. The policy is generally a data structure orother information that includes a set of preferences or other criteriafor defining the behaviour of operations for sanitizing and sharing adigital image and detecting a privacy violation in an image file.Accordingly, an enterprise may use the policy to prevent the sharing orcommunication of sensitive features of digital images.

Some of the criteria may be based on characteristics of a depictedcorporate display medium. The criteria that is used to classify adepiction as sensitive may be based on, for example, the type ofcorporate display medium that is depicted, the presence or absence ofcontent in the depiction, and whether the corporate display medium has adisplay surface that is displayed or visible in the digital image. Thepolicy may contain a list of types of corporate display medium that aresensitive. In some implementations, if a particular type of corporatedisplay medium is defined as sensitive in the policy and the imagecontains a depiction of a corporate display medium of that type, thenthe depiction is classified, deemed or determined to be sensitive. Insome implementations, the policy may also require that the depictedcorporate display medium contain content in order for the depiction tobe classified or deemed as sensitive. In some implementations, thepolicy may further require that the content of the depicted corporatedisplay medium contain sensitive information in order for the depictionto be classified or deemed as sensitive. Sensitive information mayinclude, for example, a sensitive word, face, or corporate logo.

Various techniques and algorithms may be implemented to determinewhether a digital image contains a depiction of a particular corporatedisplay medium. These algorithms may rely on one or more object orpattern recognition or detection models. The algorithms that areimplemented may vary depending on the type of object being searched for.For example, the method used to detect a face may be different than themethod used to detect a computer monitor.

One approach to object recognition may involve image segmentation andblob analysis, which uses object properties such as colour, texture,shape and size. The digital image is segmented into segments or sets ofpixels that share some common visual characteristic using techniquessuch as contrast enhancement. The segmented regions or objects may besubjected to feature extraction. Typical features detected by featureextraction algorithms include edges, corners, blobs and ridges. Otherproperties such as colour, texture, shape and size of the objects mayalso be analyzed. Various rough and detailed classification steps may besuccessively applied to the objects to compare their feature sets with aset of standard patterns, such as patterns for a smartphone, a sheet ofpaper, a whiteboard and other corporate display mediums that may beclassified as sensitive based on the policy, stored in a database and todetermine the object classes.

Another approach to object recognition may involve template matching, inwhich a small image, referred to as a template image, is used to locatematching regions in a larger source image. The template image iscompared to a region of source image as the template image is slid overthe source image. The comparison involves determining the correlationbetween the template image and a region of the source image. A matchingregion is identified based on the degree of correlation between thetemplate image and the source image. The template image may be an imageof a corporate display medium that is stored in a database and thesource image may be the digital image that is being shared.

Various techniques and algorithms may be implemented to determinewhether a depiction of a particular corporate display medium iscontent-free. These algorithms may rely on one or more object or patternrecognition or detection models noted above. In some cases, a depictionmay be considered content-free if no objects, text or features, such asedges, corners, blobs or ridges, are detected in the depiction otherthan those found in a standard pattern or a template image. For example,a sheet of lined paper may be considered content-free when a pattern ofstraight, parallel, evenly spaced lines is detected in the area of theimage occupied by the sheet of lined paper, but no other features, suchas blobs, circles, non-parallel lines or other markings, are detected inthat area. In some cases, a depiction of a corporate display medium isconsidered content-free if the region of the digital image that isoccupied by display surface of the corporate display medium iscontent-free or a particular portion of the corporate display medium iscontent-free. Some algorithms may be based on examining the set ofpixels of the digital image that comprise the display surface anddetermining that the pixels have relatively the same colour. In someembodiments, a display surface may be considered content-free if theregion bounded by the display surface is filled in with a uniform colouror a colour gradient.

In some embodiments, the digital image is displayed in a graphical userinterface using a display interface. Some or all of the objects that aredetected in the digital image may be highlighted. For example, theoutline or boundaries of the corporate display medium, or parts of thecorporate display medium, for example a display surface, or objectsidentified as sensitive, may be highlighted.

Following the operation 304, the method 300 includes, at the operation306, in response to determining that the digital image contains thedepiction of a corporate display medium that is classified as sensitivebased on a policy, processing the digital image to modify the depiction.

In some embodiments, processing the digital image to modify thedepiction may involve modifying the entire depiction of the corporatedisplay medium. In some embodiments, processing the digital image tomodify the depiction may involve modifying only a portion of thedepiction, for example, a display surface of the corporate displaymedium.

The depiction may be modified in any of a number of ways. Modifying thedepiction may include blurring the depiction, or a portion thereof, inorder to reduce detail in the depiction. In some cases, blurring mayrender either the corporate display medium unrecognizable, the type ofcorporate display medium unrecognizable, or any content in the corporatedisplay medium unintelligible.

In some embodiments, processing the digital image to modify thedepiction comprises erasing the depicted corporate display medium or aportion thereof. Modifying the depiction may also involve erasing thedepiction from the digital image. Erasing the depiction may involvereplacing the area of the image occupied by the depiction of thecorporate display medium with surrounding details of the depiction. Theresult is that the depiction of the corporate display medium essentiallydisappears from the image. As an example, in the case of an imagedepicting a sheet of paper located on an otherwise empty desk, erasingthe depiction of the sheet of paper may involve replacing the area ofthe image occupied by the sheet of paper with details of the top of thedesk. The modified image would show an empty desk with no sheet of paperon the desk. This example is illustrated by FIGS. 7 and 8. FIG. 7 is anillustration of an example digital image 700 containing sensitiveinformation in the form of a stack of paper 706 and a smartphone 704.FIG. 8 is an illustration of the digital image 700 after processing. Themodified digital image 800 is sanitized to remove the sensitiveinformation. The stack of paper 706 has been erased and replaced withdetails of the top of the desk. In this case, the shade of grey of thedesk is used to fill in the area that was occupied by the stack of paper706. Note that in this example, the depiction of the computer monitor702 in FIG. 7 is not modified. The computer monitor is oriented suchthat it is back of the computer monitor 702 that is shown and thedisplay screen is not visible. No processing of the digital image 700 tomodify the computer monitor 702 is necessary. FIG. 8 shows the computermonitor 702 as unaltered.

In some embodiments, processing the digital image to modify thedepiction comprises erasing the contents of the depicted corporatedisplay medium. Erasing the contents of the depiction may involvereplacing the area of the image occupied by the contents withsurrounding details of the contents. In one example, an image may depicta sheet of lined paper containing handwriting. Erasing the contents ofthe lined sheet of paper, namely the handwriting, may involvedetermining that the lined sheet of paper contains markings, namely thehandwriting, and removing the markings from the image by filling in thearea occupied by the markings with details of the lined sheet of papersurrounding the markings. The modified image would show a depiction ofan empty sheet of lined paper. In another example, the image may depicta whiteboard containing a drawing. Erasing the contents of thewhiteboard may involve determining that the display surface of thewhiteboard contains markings, namely the drawing, and changing thecolour of the markings to match the colour of the whiteboard surfacethat surrounds the markings. Another example is illustrated by FIGS. 9and 10. FIG. 97 is an illustration of an example digital image 700containing sensitive information in the form of a computer monitor 902displaying the text 904 “Great idea!”. FIG. 10 is an illustration of thedigital image 900 after processing. The modified digital image 1000 issanitized to remove the sensitive information. The text 904 is erasedand replaced with the shades of grey that surround the text 904 in FIG.9.

In some embodiments, processing the digital image to modify thedepiction comprises replacing or overlaying the depiction or a portionthereof with a replacement object. Examples of a replacement objectinclude an icon, an emoji, a caricature, a shape, an advertisement, alogo, a depiction of a corporate display medium, a depiction of portionof a corporate display medium, and a depiction of a display surface of acorporate display medium. The replacement objects may be obtained from alibrary of objects.

In the case where the replacement object is a shape, any suitable shapeor pattern may be used. In some embodiments, the replacement shape hasthe same boundaries or outline as the object being replaced, forexample, the boundaries or outline of the sensitive depiction or thesensitive display surface. An example is illustrated by FIGS. 7 and 8.As noted above, FIG. 7 is an illustration of an example digital image700 containing sensitive information in the form of a stack of paper 706and a smartphone 704. FIG. 8 is an illustration of the digital image 700after processing. The modified digital image 800 is sanitized to removethe sensitive information. The smartphone 704 has been replaced with ablob or shape 802 of the same shape and size as the smartphone 704 thatis solid black in colour. In other words, the depiction of thesmartphone 704 has been filled in with solid black.

The replacement object may be of the same type of object as that whichis being replaced. For example, the replacement corporate display mediummay be of the same type of corporate display medium as that beingreplaced. As a more specific example, a depiction of a notepad may bereplaced by another depiction of a notepad. The replacement object mayalso be of a different type of object as that which is being replaced.For example, the replacement corporate display medium may be of adifferent type of corporate display medium as that being replaced. As amore specific example, a depiction of a notepad may be replaced by adepiction of a single sheet of paper.

In some cases, the replacement object may extend beyond the boundariesof the depiction of the corporate display medium, and in some cases thereplacement object may occupy the same area as, or less than the areaoccupied by, either the depiction of the corporate display medium or adisplay surface thereof. For example, the replacement object may be arectangle that covers the corporate display medium and extends intoother areas of the image. In another example, a replacement depiction ofa computer monitor screen may cover substantially the same area of theimage as the original depiction of a computer monitor screen.

In some embodiments, processing the digital image to modify thedepiction comprises replacing the depiction with a depiction of the sametype of corporate display medium from a library comprising a seconddigital image containing a depiction of a second corporate displaymedium. As examples, a depiction of a sheet of lined paper may bereplaced with a different depiction of a sheet of lined paper obtainedfrom a library of digital images, or a depiction of a whiteboard may bereplaced with that of another whiteboard obtained from the library.

In some embodiments, processing the digital image to modify thedepiction comprises injecting fake information into the digital image.For example, the contents of the corporate display medium may bereplaced with fake information. As more specific examples, the text on adocument may be replaced with fake text and the contents of a whiteboardmay be replaced with a fake drawing. In some implementations, injectingfake information into the digital image involves adding fake datawithout replacing another object in the digital image.

In the case of a content-free depiction of a corporate display medium,no processing of the digital image to modify the depiction may benecessary. In some embodiments, the digital image is processed only ifthe image contains a corporate display medium that is both classified assensitive and contains content. For example, in the case where the imagecontains one or more corporate display medium that are classified assensitive and contain content, and one or more corporate display mediumthat are classified as sensitive but are content-free, the image may beprocessed to modify the corporate display medium that are sensitive andcontain content and not modify the corporation display medium that aresensitive but are content-free.

In some embodiments, processing the digital image to modify thedepiction is based on input received at an input interface. For example,the extent to which the depiction is blurred may be determined based oninput received at an input interface.

In some implementations, the method 300 may further comprise, inresponse to processing the digital image to modify the depiction,generating a thumbnail image based on the digital image and includingthe thumbnail image in the metadata for the digital image.

In some cases, the digital image comprises a frame of a video and themethod 300 further comprises processing the video to modify thedepiction in a plurality of frames of the video.

The method 300 also includes, at the operation 308, sharing the digitalimage. Sharing the digital image may involve transferring, or providinga copy of, the modified digital image to a third party computing device.The original digital image may be kept intact and unmodified or may bedeleted from the file system. For example, the method 300 may beperformed by a corporate website server and the digital image may beshared by transferring the digital image to client computing systemsthat download the digital image.

Many of the embodiments described in the present application focus on acorporate display medium. However, it is understood that the presentapplication is not limited to such embodiments and that the embodimentsdescribed generally can easily be extended to digital images thatcontain other sensitive content. Examples of other sensitive content mayinclude human faces and alcoholic beverage containers, for example, awine bottle or glass, and a beer bottle, can, or mug.

In some embodiments, the method 300 may further comprise, in response toreceiving the instruction to share the digital image, identifying aparticular face in the digital image and modifying the particular face.Modifying the particular face may be performed according to thetechniques and operations described in the present application inrelation to a corporate display medium and may also include replacingthe face with a caricature. In some implementations, a particular faceis modified unless the particular face is determined to correspond to aface shown on an identification badge, for example an employeeidentification badge, and the person associated with the identificationbadge has provided their permission to include their face in digitalimages.

In some embodiments, the method 300 may further comprise, prior toprocessing, displaying the digital image, automatically preselecting thedepiction, providing an indication at the display interface of thepreselected depiction, and receiving input at an input interfacerelating to a selection of an object depicted in the digital image. Insome embodiments, input may be received at an input interface thatdeselects the automatically preselected depiction. Input may also bereceived that indicates the selection of a depiction of a corporatedisplay medium or other object that was not automatically preselected.For example, a face in the digital image may be selected. The method mayfurther involve processing the digital image to modify the selecteddepictions and objects. In the case where an automatically preselecteddepiction is deselected, no processing of the digital image to modifythe depiction may be necessary.

The selection and deselection inputs received at the input interface maybe used to update the policy in the method 300 and, for example, tochange the criteria for the types of objects are automaticallypreselected. More specifically, if a particular type of object orparticular face has been selected, the policy may be updated so that theparticular type of object or particular face will be automaticallypreselected in subsequent performances of the method 300. Accordingly,the policy may be based on input relating to a selection of an objectdepicted in a second digital image.

In some embodiments, the method 300 may further comprise displayingmetadata associated with the digital image on a display interface. Thecomputer system implementing the method 300 may include a processorcoupled with a display interface, where the processor is configured todisplay metadata associated with the digital image on the displayinterface. Examples of metadata that may be associated with a digitalimage include: description information, including a title, a subject, arating, a caption, tags and comments; origin information, including theauthors, date taken, time taken, program name, date acquired, copyrightartist, and copyright details; image information, including an imageidentifier, image dimensions, image width, image height and a thumbnailimage; camera information, including a camera maker, camera model,camera serial number, f-stop, exposure time, focal length, subjectdistance and flash mode; and file information, including a filename,file type, folder path, date created, date modified and size. Thecontents of a digital image file may include both metadata and imagedata. However, the metadata that is associated with a digital image isnot limited to the metadata located within a digital image file. Forexample, while a title, image thumbnail or copyright statement may bestored within a digital image file, a filename may be stored outside ofthe digital image file and in a file system directory. Accordingly, themetadata that is associated with a digital image may be obtained fromwithin the contents of the digital image, a location outside of thecontents of the digital image, or a combination thereof.

In some embodiments, some and not all of the metadata that is associatedwith the digital image is displayed on a display interface. Thedetermination of the metadata that should be displayed may be made onthe basis of the policy. The policy may indicate that particular fields,for example a location field, are sensitive. In some embodiments, all ofthe sensitive metadata fields are displayed. Displaying a metadata fieldmay involve displaying the field name, the field value, or both. Inembodiments where the digital image is displayed on the displayinterface, displaying the metadata may involve overlaying the digitalimage with the metadata.

In some embodiments, the method 300 may further comprise automaticallypreselecting a field of metadata associated with the digital image basedon the policy. In some embodiments, input may be received at an inputinterface that deselects the automatically preselected field ofmetadata. Input may also be received that indicates the selection of ametadata field that was not automatically preselected.

In some embodiments, the method 300 may further comprise processing themetadata to modify the preselected field. In some cases, themodification may involve removing the field by, for example, deletingthe value set for the field. In some cases, the modification may involvereplacing the field value with other information. The other informationmay be correct or fake information. As an example, an empty copyrightfield may be replaced with a correct copyright statement. As anotherexample, global positioning system (GPS) coordinates in the locationfield may be replaced with fake GPS coordinates. In some cases, themodification may involve adding a new field containing information,which may include fake information. Fake information may includeinformation that is randomly generated, for example, randomly generatedGPS coordinates.

Reference is made to FIG. 4, which shows, in flowchart form, an examplemethod of detecting a privacy violation by a digital image file. In themethod 400, reference is made to a “master” application and a“monitored” application. In the master/monitor model, a masterapplication may represent an application that has particular settingsthat should be satisfied, met, or adhered to by a monitored application.A monitored application may represent an application whose filemodification actions are monitored for violations of particular settingsof the master application.

The method 400 is performed by a computing device such as, for example,the computing device 200 of FIG. 2. The computing device has a processorthat is configured to obtain a policy to be used by a master imagingapplication, monitor a file system for a digital image file modified bya monitored imaging application, determine that the digital image fileincludes at least some content in violation of a defined setting for themaster imaging application, and in response to determining that thedigital image file includes at least some content in violation of thedefined setting for the master imaging application, take an action basedon the determination of the violation.

The master imaging application and the monitored imaging application maybe imaging applications of the same type or of different types. Forexample, the master imaging application and the monitored imagingapplication may both be camera applications for capturing photographs.As another example, the master imaging application may be a cameraapplication for capturing photographs and the monitored imagingapplication may be an editing application for altering photographscaptured by a camera application. As another example, the master imagingapplication may be the sanitization application in the example methoddescribed in FIG. 3 and the monitored imaging application may be acamera application.

The method 400 starts with an operation 402. In operation 402, a policyis obtained for use by a master imaging application. In someembodiments, the policy is substantially the same as the example policydescribed in FIG. 3. The policy may be used by the master imagingapplication to set or adjust a user preference, or be a defined, defaultor other setting. For example, the policy may adjust a location settingof the master imaging application.

It is understood that the settings of the master imaging application maybe separate and distinct from those of the monitored imagingapplication, but that the settings of each application may provide thesame or similar functionality.

A setting may correspond to one or more image metadata fields. Forexample, a setting may contain text that may be used to populate ametadata field. In some embodiments, when a photograph is taken and animage file is created, the text of copyright artist and details settingsmay be copied into respective copyright artist and details metadatafields of the image file. It is understood that other metadata fieldsmay be populated with text from other settings.

In some embodiments, a setting may enable the inclusion of a metadatafield in the digital image. Specifically, a setting may indicate that aparticular metadata field may be populated automatically by an imagingapplication when the image is modified by the imaging application. Insome cases, the setting may be set to one of two states, such as“enabled” and “disabled”. It will be appreciated that other values maybe used, for example, “on/off” or “yes/no”. As an example, a locationsetting may correspond to a location metadata field. The locationsetting may control the addition of GPS location data to the metadatacontained in digital image or video file captured by the master imagingapplication. In this example, if the setting is set to “enabled”, thenGPS location information may be added to the image metadata. If thesetting is set to “disabled”, then no GPS location information is storedin the metadata. As another example, a date setting set to “yes” mayindicate that the “date taken” metadata field should be populated withthe date on which a digital photograph was captured, and a date settingset to “no” may indicate that the “data taken” metadata field should notbe populated. As yet another example, a thumbnail setting may indicatewhether a thumbnail of the image should be generated and inserted intothe image metadata. As yet another example, there may be respectivesettings for enabling the addition of description information metadatasuch as a title, subject, rating, caption, tags, and comments.

A setting for an imaging application may also correspond to theapplication of one or more image processing functions. In someembodiments, a setting may indicate that particular image processingfunctions should be applied to an image. For example, a stamp settingmay be set to “enabled” or “stamp photos” to cause the imagingapplication to modify images to display certain information. The stampmay, for example, overlay the image with the time and date on which thephotograph was captured, the GPS altitude or location coordinates atwhich the photograph was captured, another image such as a copyrightlogo, and/or text such as a copyright statement. In some embodiments,the stamp may be formatted, for example, in the color yellow, tovisually stand out from the image. In some embodiments, the stamp may behidden in the image, blended in with colors or objects surrounding thestamp in the image, and/or be substantially transparent. In some cases,the stamp is a watermark. An application may include one or more stampsettings.

The method 400 further includes, in operation 404, monitoring a filesystem for a digital image file modified by a monitored imagingapplication. It is understood that, in some cases, monitoring the entirefile system of the computer system may be inefficient or unnecessary. Insome embodiments, only certain directories, such as an image gallerydirectory, may be monitored. In some embodiments, the file system of thecomputer system is monitored for a digital image file that is modifiedby any application or by other types of applications aside from a cameraapplication, such as a photo editing application. In some embodiments,only digital images modified by particular application(s) may bemonitored.

In some embodiments, monitoring a file system for a digital image filemodified by a monitored imaging application includes continuouslymonitoring the file system and automatically detecting, in real-time,the modification of the digital image file by the monitored imagingapplication. The monitoring may be performed by a background processthat continuously runs and monitors file system modification events,such as, for example, file creation events (indicating that a new filewas created under the monitored directory), file update events(indicating that data was written to a file), file metadata updateevents (indicating that timestamps or other file metadata were changed)and file move events (indicating that a file or subdirectory was movedto the monitored directory). In some embodiments, a digital image filemay be considered to be modified if one or more file system modificationevents occurs in relation to that file. Once a modification event isdetected, the corresponding modified file may be analyzed to determinewhether the file is an image file. Various techniques may be used todetermine the type of a file. In some cases, the determination may bebased on a filename extension and involve comparing the filenameextension of the modified file to entries in a defined list of imagefilename extensions. If the list contains the filename extension, thenthe modified file may be considered to be an image file. In someembodiments, the processes running on the computer system can bemonitored to identify the process and imaging application that modifiedthe image file. In other embodiments, there may be another triggeringevent that causes the file system to be monitored.

In some embodiments, monitoring a file system for a digital image filemodified by a monitored imaging application includes scanning the filesystem for a digital image file modified by an imaging application. Thescanning operation may be performed automatically and periodically on ascheduled basis. In some cases, the scanning operation may be performedin response to input received at an input interface. In someembodiments, the metadata that is associated with the image file, forexample the program name metadata fields, may be inspected to determinethe application that modified the digital image file. In someembodiments, the system may determine if a file has been modified sincethe file system was last monitored. This determination may involve, forexample, comparing a timestamp from a “date modified” metadata field toa timestamp of the last scan.

The method 400 further includes, in operation 406, determining that thedigital image file includes at least some content in violation of adefined setting for the master imaging application. The determinationmay involve comparing the value of a defined setting to one or moremetadata fields of the digital image file.

In some embodiments, a violation may occur if, for example, a definedsetting is set to disabled and a corresponding image metadata field ispresent and/or set. As an example, the location, date taken andthumbnail settings for the master imaging application may all be set todisabled. If the contents of the digital image file includes GPSlocation information, a date taken, or a thumbnail, this may be deemed aviolation of respective defined settings for the master imagingapplication. As another example, a disabled description setting may beviolated if the image metadata includes any of a title, subject, rating,caption, tags and comments field. As yet another example, a disabledorigin information setting may be violated if the image metadataincludes any of an author, date taken, time taken, program name, dateacquired, copyright artist, and copyright details field.

In some embodiments, a violation may occur if, for example, a definedsetting corresponding to the application of one or more image processingfunctions is disabled, yet the image processing function has beenapplied to the digital image file. As an example, if a stamp setting forthe master imaging application is set to disabled and the modifieddigital image includes a stamp, this may be considered a violation ofthe setting.

In some embodiments, a violation may occur if, for example, a particulardefined setting is enabled and includes text, yet the digital image fileincludes a corresponding metadata field that does not match the text ofthe defined setting. As an example, a violation may occur if the digitalimage file includes copyright metadata text that does not match thecopyright text of a defined setting.

In some embodiments, a violation may occur if, for example, a thumbnailsetting is enabled and the thumbnail metadata does not match orcorrespond to the digital image. In some cases, this determination mayinvolve scaling down the dimensions of the digital image to thedimensions of the thumbnail and comparing the pixels of the thumbnail tothose of the scaled down digital image. In some cases, thisdetermination may involve detecting the objects depicted in thethumbnail and the digital image and comparing the detected objects ofthe thumbnail to those of the digital image.

In some embodiments, the master imaging application and the monitoredimaging application are the same imaging application and the method 400verifies that the imaging application does not violate the imagingapplication's own settings. In some embodiments, the master imagingapplication and the monitored imaging application are distinctapplications.

Any number of suitable techniques for determining a violation arecontemplated by the present application. In some embodiments, the method400 may involve determining that the digital image file includes atleast some content depicting a corporate display medium in violation ofa policy as generally described in the example method 300 described inFIG. 3.

The method further includes, in operation 408, taking an action. Theaction may be in response to determining that the digital image fileincludes at least some content in violation of a policy or a definedsetting for the master imaging application. Other operations may alsotrigger the action taken. The action may be based on the violation andinvolve, for example, generating a notification and/or automaticallymodifying the digital image file.

In some cases, the notification may trigger a visual or audio alert thatserves to provide feedback to a user. The feedback may identify theoffending monitored imaging application and allow the user to takecorrective action to prevent the offending application from causingfurther violations. The notification may identify the monitored imagingapplication by, for example, providing the program name of the monitoredimaging application. The notification may also identify the definedsetting that has been violated.

In some cases, the notification may cause a message to be transmitted toa third party system. The notification may be conveyed to a user, acorporate privacy policy department or more than one entity.

Other actions may also be triggered by the notification. Thenotification may prompt for adjusting a setting associated with themonitored imaging application. Specifically, the notification may promptfor, for example, toggling a setting between defined values, addingtext, amending existing text, adding a date, updating a date, removingtext or removing a date. In some embodiments, the notification mayprompt for adjusting a setting associated with the monitored imagingapplication to match, mirror or comply with a policy or a correspondingdefined setting associated with the master imaging application. Thenotification may also prompt for synchronizing one or more settings ofthe monitored imaging application with a policy or one or more settingsof the master imaging application.

In the case of a violation based on a setting of the master imagingapplication that contains customizable text, the notification may promptfor editing a monitored imaging application setting. The notificationmay include text that should be used for editing the setting. Forexample, if the master imaging application contains a copyright authorsetting that is violated by a digital image file modified by themonitored imaging application, the notification may provide the name ofthe copyright author that is listed in the master imaging applicationand prompt for editing the copyright author setting in the monitoredimaging application to match the provided name In some embodiments, thenotification may prompt for removing all text from a setting of themonitored imaging application. For example, the notification may promptfor removing all copyright information in settings in the monitoredimaging application. As another example, the notification may prompt forediting or removing the content of one or more of a description, title,subject, rating, caption, tags, and comments setting of the monitoredimaging application.

In the case of a violation based on a defined setting that set to“disabled” in the master imaging application, the notification mayprompt for disabling a corresponding setting in the monitored imagingapplication. For example, if the GPS location setting for the masterimaging application is used in determining that a violation hadoccurred, the notification may prompt for disabling a GPS locationsetting for the monitored imaging application. As another example, aviolation based on one or more of a description, title, subject, rating,caption, tags, comments, author, date taken, time taken, program name,date acquired, copyright artist, copyright details, thumbnail and stampsetting of the master imaging application may cause a notificationprompting for disabling respective settings for the monitored imagingapplication.

The notification may also provide an option to modify the digital imagefile to comply with the policy or defined settings of the master imageapplication. Input may be received at in input interface that indicatesthe selection of the option to modify the digital image file to complywith the policy. The digital image file may be modified in response toreceiving such input.

Other operations may also trigger the modification of the digital imagefile. For example, the digital image file may be modified in response todetermining that the content of the digital image file or metadataassociated with the digital image file violates a policy.

The method 400 may involve modifying at least the content of the digitalimage that is in violation of the defined setting. The modification mayinclude, for example, adjusting a metadata field, removing a metadatafield that corresponds to a defined setting of the master imagingapplication that is marked as disabled, a updating metadata field tomatch the text of a defined setting for the master imaging application,generating a thumbnail and inserting the thumbnail into the metadata,and removing a stamp from the image.

In the method 400, modifying the digital image file and associatedmetadata may be generally performed according to the techniques andoperations described in the present application in relation to modifyingthe digital image in the example method 300 described in FIG. 3.

It will be appreciated that the various methods described above arepresented in flowchart form to show a sequence of operations for ease ofillustration and discussion, but that in some implementations adifferent sequence of operations may be used, additional operations maybe included, and/or some operations shown sequentially may occursimultaneously or in parallel, without changing the substance of theprocesses.

It will be understood that the applications, modules, routines,processes, threads, or other software components implementing thedescribed method/process may be realized using standard computerprogramming techniques and languages. The present application is notlimited to particular processors, computer languages, computerprogramming conventions, data structures, or other such implementationdetails. Those skilled in the art will recognize that the describedprocesses may be implemented as a part of computer-executable codestored in volatile or non-volatile memory, as part of anapplication-specific integrated chip (ASIC), etc.

Certain adaptations and modifications of the described embodiments canbe made. Therefore, the above discussed embodiments are considered to beillustrative and not restrictive.

What is claimed is:
 1. A computer-implemented method of detecting aprivacy violation in an image file, the method comprising: obtaining apolicy to be used by a master imaging application; monitoring a filesystem for a digital image file modified by a monitored imagingapplication; determining that the digital image file includes at leastsome content in violation of a defined setting for the master imagingapplication; and in response to determining that the digital image fileincludes at least some content in violation of the defined setting forthe master imaging application, taking an action.
 2. The method of claim1, wherein monitoring the file system for the digital image filemodified by the monitored imaging application comprises continuouslymonitoring the file system and automatically detecting, in real-time,the modification of the digital image file by the monitored imagingapplication.
 3. The method of claim 1, wherein monitoring the filesystem for the digital image file modified by the monitored imagingapplication comprises automatically periodically scanning the filesystem for a digital image file modified by the monitored imagingapplication.
 4. The method of claim 1, wherein monitoring the filesystem for the digital image file modified by the monitored imagingapplication comprises in response to input received at an inputinterface, scanning the file system for a digital image file modified bythe monitored imaging application.
 5. The method of claim 1, whereintaking the action comprises processing the digital image file to modifythe at least some content.
 6. The method of claim 1, wherein taking theaction comprises generating a notification based on the violation. 7.The method of claim 6, wherein the notification identifies the monitoredimaging application.
 8. The method of claim 6, wherein the notificationprompts for adjusting a setting associated with the monitored imagingapplication.
 9. The method of claim 6, wherein the notification providesan option to modify the digital image file to comply with the policy.10. The method of claim 9, the method further comprising: receivinginput at an input interface selecting the option to modify the digitalimage file to comply with the policy; and in response to receiving inputfrom an input interface selecting the option to modify the digital imagefile, modifying the digital image file.
 11. A computing devicecomprising: a memory; and a processor coupled with the memory, theprocessor configured to: obtain a policy to be used by a master imagingapplication; monitor a file system for a digital image file modified bya monitored imaging application; determine that the digital image fileincludes at least some content in violation of a defined setting for themaster imaging application; and in response to determining that thedigital image file includes at least some content in violation of thedefined setting for the master imaging application, take an action. 12.The device of claim 11, wherein the processor configured to monitor thefile system for the digital image file modified by the monitored imagingapplication comprises the processor configured to continuously monitorthe file system and automatically detect, in real-time, the modificationof the digital image file by the monitored imaging application.
 13. Thedevice of claim 11, wherein the processor configured to monitor the filesystem for the digital image file modified by the monitored imagingapplication comprises the processor configured to automaticallyperiodically scan the file system for a digital image file modified bythe monitored imaging application.
 14. The device of claim 11, theprocessor further configured to take the action comprises the processorconfigured to process the digital image file to modify the at least somecontent.
 15. The device of claim 11, the processor further configured totake the action comprises the processor configured to generate anotification based on the violation.
 16. The device of claim 15, whereinthe notification identifies the monitored imaging application.
 17. Thedevice of claim 15, wherein the notification prompts for adjusting asetting associated with the monitored imaging application.
 18. Thedevice of claim 15, wherein the notification provides an option tomodify the digital image file to comply with the policy.
 19. The deviceof claim 18, the processor further configured to: receive input at aninput interface selecting the option to modify the digital image file tocomply with the policy; and in response to receiving input from an inputinterface selecting the option to modify the digital image file, modifythe digital image file.
 20. A non-transitory computer-readable storagemedium storing processor-executable instructions to detect a privacyviolation in an image file, the method, wherein the processor-executableinstructions, when executed by a processor, are to cause the processorto: obtain a policy to be used by a master imaging application; monitora file system for a digital image file modified by a monitored imagingapplication; determine that the digital image file includes at leastsome content in violation of a defined setting for the master imagingapplication; and in response to determining that the digital image fileincludes at least some content in violation of the defined setting forthe master imaging application, take an action.